Adobe announcement cranks up chatter on vendor auto updates

Earlier this month, Adobe announced that it is going to beta an automatic updater for its products in response to the surge of attacks against its software — Reader, Acrobat, and Flash.

According to McAfee’s threat prediction report for 2010, Reader and Flash will replace the Microsoft operating system as the primary targets for malware attacks in 2010. That’s bad news for all of us since these products are nearly ubiquitous for both home users and corporations.

While I give Adobe credit for taking some action — much like I gave them credit for adopting a quarterly patch cycle — silent patching with an auto updater is not a good answer for businesses of any size. Why? Loss of control. With auto updates, businesses can’t determine if or when or how a patch is applied. They can’t control when the auto updater service runs or where it pulls updates from or what updates are going to be installed. Adobe says it will provide some control to the end user — which is fine for home users, but that’s not who has responsibility for patching in businesses.

Businesses need to centralize control over the patching process. They need to control if and when to patch, how and when systems will be rebooted, and they need to have proof that patches were successfully deployed. Adobe and other vendors who create auto updaters are asking you to operate your business on blind faith. If more and more vendors follow Adobe’s lead, our systems will be slowed by updaters vying for CPU and our network bandwidth will be clogged with multiple updaters downloading the same patch hundreds or thousands of times.

That sounds like a recipe for chaos. And readers/subscribers of patchmanagement.org seem to agree.